A Journey in Payment world – Part 2: the only part you need

The only part needed?

(missed the part 1? Read it here)

Making a serie with a part 2 titled “the only part you need” is probably a little misleading. Fact is, just after having picked up Stripe as our provider and Peter Keen’s nice book, we jumped right into getting our whole payment system up, from credit card to invoicing. Time was short, but we needed that anyway.

This may be one of the reasons we missed a much faster way to get our first payments in, business speaking that I’ll outline in this post – hence the “only part you need”.

What you really need – single payment

Let’s back one minute to the business need. What you really need is a customer to be able to pay. Meaning, you need to be able to charge and invoice him.

Now, considering that you provide a SaaS, that should ideally be handled in your app: from the customer’s side, he just needs a form for his/her credit card. On your side, you don’t want to validate and store a credit card yourself (your application is most probably not PCI compliant), and those are very sensitive data. Stripe allows you to use the credit card without ever storing it yourself. This way, your system is actually PCI compliant – because the part that need to follow those rules is handled by Stripe, not by your application.

Getting the Credit Card information

You just have to create the form on your site, but the form is not going to submit the credit card information to your server.

Instead, it use a Stripe-provided JavaScript to submit it toward the Stripe server.

<form action="" method="POST">
  <script
    src="https://checkout.stripe.com/checkout.js" class="stripe-button"
    data-key="pk_yourdatakey"
    data-amount="2000"
    data-name="PullReview"
    data-description="1 month subscription (€20.00)"
    data-image="/128x128.png">
  </script>
</form>

Checkout make it very easy to have a quick working solution, but is not that customizable. If you want your form to fully integrate in your website, you can look at stripe.js that offers the same service with your form being totally under your control – with a little more work.

Should it succeed, Stripe will send back a token that your page can then send back to your server:

The token can then be used to charge the card without your application having to store or know the exact credit card information.

Note that in order to identify you, you need to send your Stripe key with all calls you do from either your page or server. As the one used on the browser is actually visible, it is a public key. For all server to Stripe communications, you actually use a (different) private key, that is never shown to any user-visible content.

Of course, you should still use HTTPS for those interactions, enabling it on your webserver and in Rails:

production.rb

# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.

config.force_ssl = true

Charging

Charging can then be done with a single call to the Stripe API. While not complicated, we’ll see a bit below that even this part is optional.

Stripe provides a gem for this. Note the usage of the source here – we want to be sure we’re getting this gem from Stripe and no one else.

Gemfile

source 'https://code.stripe.com'
source 'https://rubygems.org'

gem 'stripe'

The API require you to set the (private) key before making any calls. This can be done just before calling, or in an initializer:

stripe_initializer.rb

Stripe.api_key = ENV['STRIPE_API_KEY']

Note that the API key is actually loaded using an environment variable. This has a double advantage: allowing easy switch between the production key and the test key depending on the environment (development and staging toward “test”, production toward “live”), and to avoid having the key visible in your code and version control.

That you can use like this:

begin
  charge = Stripe::Charge.create(
    :amount => 1000, # amount in cents, again
    :currency => "usd",
    :card => token,
    :description => "payinguser@example.com"
  )
rescue Stripe::CardError => e
    # The card has been declined
end

You can actually test this on end to end, using Stripe-provided credit cards. Congratulation, you are able to sell any product or service and charge your customer for them.

What you really need – recurring payment

Now, if your good or service is not a “one time payment”, the “fire & forget” approach used above may not suit you. PullReview is sold as a subscription, so we need to be able to charge our customer each month, as long as they decide to stay with the service.

Now, remember this “one time token” we just talk about? It can actually be used exactly the same way for a very different purpose: creating a Customer in Stripe:

# Create a Customer
customer = Stripe::Customer.create(
  :card => token,
  :description => "payinguser@example.com"
)

Stripe’s Customer has an id field that you can store, along with some safe information about the credit card, like the card type, expiration date and four last digit (and actually any other you want, via a metadata field). It will not give you the full card info, which is again actually a good thing: it allows to store only the information you need.

It can also store the customer’s plan – something I’ll cover in a next post.

You can use the customer’s id in place of the one time token to charge:

begin
  charge = Stripe::Charge.create(
    :amount => 1000, # amount in cents, again
    :currency => "usd",
    :customer => customer.id,
    :description => "payinguser@example.com"
  )
rescue Stripe::CardError => e
  # The card has been declined
end

But actually, this part is not even needed for now, as there is another way to charge a customer.

The stripe interface

Stripe is not only delivering a service but also an interface. On that, you can for instance look at your customer list:

But it can do much more than that: picking a customer actually allows you to charge him:

This means that once the card is in, you can do everything else manually – your system can receive payments.

Manual is ok – it is actually even good

“But I don’t want to do things manually”.

Me neither. This is one of the reasons we are programmers. But as the rest of the series will shows, there is still a lot to do before having all parts in place (logs, plans, error reactions, VAT, invoices…) – but all of those parts are provider facing, meaning you can manage them as you want.

If you’re starting or contemplating to integrate a billing system, it means you want to start charging customers, but except if you expect 1000 to signup in the first month, chances are good you’ll be able to follow up manually quite easily. If not – well, that’s a nice problem to have.

So get your calculator and text editor, compute that VAT if needed, charge using Stripe and write a nice invoice for your customer. There will be time enough to do the rest of the road – why wait when you can start charging for your service?

See you next week for part 3 – what’s happening here?

Rubies, Gems and Dollars – a journey in the payments world – Part 1: The backpack

1 Reply

Update: Part 2 available

This is the first post of a short series about our experience of integrating payments into PullReview. My objective is to be as practical as possible. There will be code, but also some reflexion/question that are not strictly technical.

Why a short series? Because the material to cover is quite large for a single post, and I’ve discovered shorter pieces are both easier to write and more agreeable to read, so hopefully we both win here.

While this series is of course linked to our technical environment (Ruby on Rails) and provider pick (Stripe), it should be useful to most shops regardless of the exact technology and provider used – most of those problems will arise whatever the technology and payment solution.

Being the first post, it is more about starting up – notably picking a payment provider.

Billing is an epic, not a story

We’re a small shop, we see ourself as nimble, our sprints are one week long, and I like to say that most features are not extending the sprint duration. Yet the billing “feature” proved itself to be a complex one, which means you should try to divide it as much as you can (we did not/not enough, and it did bites us). The various posts are one way (among a lots of other) to split the work.

While fully integrating billing features into the application is not trivial technically speaking, don’t underestimate the business complexity. There are a lot of “small things that matters” to be decided – except of course if you already have your full payment/billing workflow thought out end to end, but that was not our case.

Gateways, payment providers and… Europe

We’re an European (Belgian) shop, and the situation about online payment in Europe is still lagging behind the one in the US. This means initially less choices. When we started looking for payment, Stripe was still present only in the UK, and the similar offers were few and far between. The environment is moving quickly (Stripe coming to Europe, PayPal acquiring BrainTree), so be sure to look by yourself before starting.

The “traditional” way of enabling payment was to integrate with Ogone, a Belgian based gateway. Tales from the trenches were rather bloody, as the integration had to be done on a quite low level.

Pick a product

I recommend you to take a look at the “full solutions” and pick one. Beside Stripe (which is probably the best known), you’ll find companies like BrainTree or PayMill. You’ll be in good company in any of them (BrainTree is used by GitHub & AirBnB, PayMill has build a nice list of customers in Europe, Stripe has numerous big names also like 4square or Rackspace).

Those kind of solutions are PCI compliant (which is something you want and don’t want to do yourself) and does not require any kind of merchant account.

We also are used to pick solutions quickly (the cost of the research may quickly invalidate any advantage of picking the “best” solution). We picked up Stripe when I received a beta invite the day we had to pick products. Our expectation was that it was used by a lot of people, and so probably quite mature and adequate to our (standard) needs.

If you are also using Ruby on Rails, I recommend buying and reading the Modern Payment with Stripe ebook from Peter Keen.

What you need (admin side)

In order to explain my “pick a full stack solution” argument, the setup on Stripe was limited to fill in basic information about our business:

Add a bank account (of course) and some account holders and you are good to go. Stripe is doing some background checks (legally required), but those were done in a couple of days and not blocking anything.

Even better: as Stripe will initially setup your account in “test”, even those information are not required. Stripe “test” environment allows you to do anything you want – except charging real money.

That’s good, as we want to do some tests first.

Stripe has a lots of options, and the road to billing is long, but a single step can actually allows you to do the single thing you need: charge a customer. That will be for the part 2 – “the only part you need”.

Code Review – why the tooling matters

6 Replies

A tale of two teams

Several months ago at 8th color, we did setup a rule of “no story should be closed without a code review”. This has worked well for us so far.

Two weeks ago, I was at my consultancy gig, discussing about the Definition Of Done. Everyone was asked to write down on post-it every condition needed for a story to be “done”. We then shared those on a wall. I did contribute one with “has been code reviewed” on it. We were not doing it, but this looked like a good opportunity to start. Knowing that the convincing/evangelize part is always the most important, I expected some disagreements, but eventually got few, with the team enthusiastically agreeing to start systematic code reviews on the next sprint.

I thought it would be as simple to setup as at 8th color.

I thought the obstacle was human.

I was wrong.

A simple task

At 8th color, we use Git for version control, and GitHub as interface (and hosting) to it. GitHub double as our issue tracker.

Making a code review is a complicated task, but one with almost no overhead: I get a mail when a new PullRequest is created (we do of course use feature branches). I can then assign it to me, look at the changes made in each file and comment in the code for any question or advice I could have. I can even commit update, should I want to.

Or not so simple

At the consultancy gig, we use SVN, and mostly Eclipse SVN integration as interface, with Jira as issue tracker.

My colleague Xavier had a story finished, and in our daily stand-up, he told the team he was waiting a review. He was kind enough to create a subtask for me to review his code. Then the problems started.

1. Identifying the files impacted

My first objective was to get a list of all the changes he made. Now, with SVN, we’re not using feature branches, and are instead all committing on the trunk. I started reviewing the history using Eclipse’s SVN integration. Luckily, Xavier had put the issue number in all his commits logs. Also, as the issue was recent, I did not had to dig too deep. This means I was able to get the list of changed files: two were updated and two others were new.

Still, this was already non straightforward and error prone: should Xavier had forgotten to annotate one commit log, I would never have found it (hell, maybe it is the case).

2. Reading the changes

With the list, I could then ask SVN (still via Eclipse) to show me the changes in the two updated files. Thanking Eclipse for contextual help, I was able to ask it to make a diff between the revision I was looking for and the previous one, thus getting only the last changes.

Eclipse’s diff is rather good – at least, it was always good enough for me to take a quick look or to merge changes. This was something different: what I wanted here was a view of all lines that had been added or deleted, and it was not that clear.

After some back & forth work between the standard editor and the diffed version, I was able to identify some redundancy in the new classes, along with some other minors stuff. Unto next problem.

3. Communicating feedback

Now, of course, those notes have no value at all if I don’t communicate them back to Xavier… But I have no direct way to annotate the code, so I had to get back my various comments into the Jira issue. As I wanted him to have it a bit easier than I did, I got back to Eclipse to note filenames and line numbers, so that he could jump easily in. This took some time again.

Overhead

This may seems a bit too much, but it is the exact situation I experienced last week. 35 minutes of archeo-codology (thanks Stéphan for the neologism) for maybe 10 minutes of actual review. My problem is not just with the cost: there are arguments enough to not do code review, so I need it to be as frictionless as possible. I was even lucky: the change was small, the code rather good.

Tooling matters

Why is my experience at 8th color so good and this one so bad? One word: Tooling.

Git allows us to make feature branches – which means listing the changes for a given story is a trivial task – whatever tool you are using.

GitHub has a nice UI for compare and Pull Requests that shows every line added and deleted. It also allows for conversation directly in the code. Pull Requests double as issues, so you don’t need an additional state. GitHub also notifies me when a new PullRequest is created.

I was missing everything there. No notification, so no way to know when a review is needed. No clear way to list the changes. No way to annotate them, to discuss.

How to start?

Now, not every team can switch to GitHub overnight. I wont be able to change the corporate rules at my consultancy gig either.

Still, take a look at Git: feature branches is the single one feature that had sold Git to me. Nothing else. Git is also very good at being integrated in existing VCS systems, so you may be able to manage it in your own team without requiring a company wide change.

If you cannot host on GitHub (for instance because the code need to stay inside the company walls, a typical requirement), see if you can install GitLab. It is an open source package that replicates most of GitHub features, notably Pull Requests.

Tweak your issue system to notify the team when a review is asked for. This can be done for instance with a specific state on Jira and a workflow action.

To be sure that people does not forget to put the issue in the commit log (discipline is hard), you can implement a commit check (that would reject the commit if no issue is specified). To help with that, you can also use something like Mylyn, that would allow the developer to specify in one click which issue he’s working on, and will add its reference to each commit.

If you are stuck on another VCS, get help by installing a code review tool like Crucible. Crucible allows you to search and cherry pick the commits you want to review. It make the whole “look at the changes and discuss them” much easier. Licence starts at 10$ – what are you waiting for? Another option is to look at “pre commit” tools like ReviewBoard (that can create reviews before you even commit, by submitting a patch).